
CWE-23 Individual Dictionary Definition (Draft 9)

Relative Path Traversal
Weakness ID: 23 (Weakness Base)
Status: Draft

Description

Summary

The software, when constructing file or directory names from input, does not properly sanitize sequences such as ".." that resolve to a file or directory name that is outside of the intended directory.

Potential Mitigations

See the vulnerability category "Path Traversal".

Relationships
Nature     Type              ID   Name
ChildOf    Weakness Class    22   Path Traversal
ParentOf   Weakness Variant  24   Path Traversal: '../filedir'
ParentOf   Weakness Variant  25   Path Traversal: '/../filedir'
ParentOf   Weakness Variant  26   Path Traversal: '/dir/../filename'
ParentOf   Weakness Variant  27   Path Traversal: 'dir/../../filename'
ParentOf   Weakness Variant  28   Path Traversal: '..\filename'
ParentOf   Weakness Variant  29   Path Traversal: '\..\filename'
ParentOf   Weakness Variant  30   Path Traversal: '\dir\..\filename'
ParentOf   Weakness Variant  31   Path Traversal: 'dir\..\filename'
ParentOf   Weakness Variant  32   Path Traversal: '...' (Triple Dot)
ParentOf   Weakness Variant  33   Path Traversal: '....' (Multiple Dot)
ParentOf   Weakness Variant  34   Path Traversal: '....//'
ParentOf   Weakness Variant  35   Path Traversal: '.../...//'
Source Taxonomies

PLOVER - Relative Path Traversal

Applicable Platforms

All

Related Attack Patterns
CAPEC-ID   Attack Pattern Name
76         Manipulating Input to File System Calls
23         File System Function Injection, Content Based
Page Last Updated: April 22, 2008